If Maven Central used https for downloading artifacts, would verifying artifact signatures be necessary?

StackOverflow https://stackoverflow.com/questions/19240779

30-06-2022

Question

From what I'm reading, it is a best practice to verify the authenticity of an artifact obtained from Central using the library author's public key to prevent man-in-the-middle attacks and things like that. It sounds like such a cumbersome process and it seems like other communities such as ruby with the rubygems repository have solved this by using https when accessing the repository.

If the Maven Central Repository used https, would that remove the need to verify artifacts? If so, why doesn't Central use https?


Solution

An https connection ensures that you're connected to the real Central, but it doesn't tell you anything about where the artifacts originally came from. Those artifacts are uploaded by large numbers of developers. If any one of them had their password stolen, malicious artifacts could end up being uploaded. PGP offers two extra qualities: firstly, it is harder to steal a PGP key than to steal a password. Secondly, in case of a security breach, a PGP key can be revoked.

Of course, you're not accessing Central directly - you're going via a local proxy. Use of PGP means that you don't need to trust that proxy, and you can verify the PGP signatures yourself.

As an aside, for security in depth, SSL access to Central is available, for a small token payment: https://blog.sonatype.com/people/2012/10/now-available-ssl-connectivity-to-central/
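The verification step the answer refers to ("you can verify the PGP signatures yourself"), as an added example that is not part of the original answer or of any Maven tooling: it plays both sides of the trust relationship locally. An ephemeral author key, a fake `library-1.0.jar` and its detached `.asc` are all constructed in a temp directory (nothing is downloaded from Central), and the consumer side checks not just that *a* signature is good but that it was made by the fingerprint it expected, which is the out-of-band fact that HTTPS alone never gives you. It assumes GnuPG 2.1 or newer is on `PATH`; the identity `author@example.invalid` is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the StackOverflow post. Demonstrates detached
# OpenPGP signature verification of a Maven-style artifact with GnuPG.
# Assumes: gpg (GnuPG 2.1+) on PATH. Key, artifact and identity are constructed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
AUTHOR_HOME="$WORK/author"       # library author's keyring (signing side)
CONSUMER_HOME="$WORK/consumer"   # build machine's keyring (verifying side)
mkdir -p "$AUTHOR_HOME" "$CONSUMER_HOME"
chmod 700 "$AUTHOR_HOME" "$CONSUMER_HOME"
AUTHOR_UID="Example Author <author@example.invalid>"   # constructed identity

# gpg invoked as the author, unattended, with an empty passphrase.
gpg_author() {
  gpg --batch --yes --homedir "$AUTHOR_HOME" --pinentry-mode loopback --passphrase '' "$@"
}

# 1. The author generates a signing key (the real author would publish the
#    public half to a keyserver and advertise its fingerprint).
gpg_author --quick-generate-key "$AUTHOR_UID" ed25519 sign 0 2>/dev/null
AUTHOR_FPR=$(gpg_author --with-colons --fingerprint "$AUTHOR_UID" \
  | awk -F: '/^fpr:/ { print $10; exit }')

# 2. A constructed "artifact" plus the detached, ASCII-armoured signature that
#    Central would serve next to it as library-1.0.jar.asc.
ARTIFACT="$WORK/library-1.0.jar"
printf 'constructed jar contents, version 1.0\n' > "$ARTIFACT"
gpg_author --local-user "$AUTHOR_UID" --armor --detach-sign \
  --output "$ARTIFACT.asc" "$ARTIFACT"

# 3. The consumer imports the author's public key. Importing does not mean
#    trusting: the fingerprint is what gets pinned below.
gpg_author --armor --export "$AUTHOR_UID" \
  | gpg --batch --homedir "$CONSUMER_HOME" --import 2>/dev/null

# verify_artifact ARTIFACT SIGNATURE EXPECTED_FINGERPRINT
# Succeeds (exit 0) only when gpg emits a VALIDSIG status line whose signing
# key fingerprint equals EXPECTED_FINGERPRINT. A good signature from some other
# key, or a tampered file, fails.
verify_artifact() {
  gpg --batch --homedir "$CONSUMER_HOME" --status-fd 1 --verify "$2" "$1" 2>/dev/null \
    | grep -q "^\[GNUPG:\] VALIDSIG $3 "
}

# 4. A tampered copy: the kind of change a compromised uploader account or an
#    untrusted proxy could introduce without HTTPS ever noticing.
TAMPERED="$WORK/library-1.0-tampered.jar"
cp "$ARTIFACT" "$TAMPERED"
printf 'injected bytes\n' >> "$TAMPERED"

report() { if verify_artifact "$1" "$2" "$3"; then echo "OK"; else echo "REJECT"; fi; }
echo "genuine jar, expected key:    $(report "$ARTIFACT" "$ARTIFACT.asc" "$AUTHOR_FPR")"
echo "tampered jar, expected key:   $(report "$TAMPERED" "$ARTIFACT.asc" "$AUTHOR_FPR")"
echo "genuine jar, wrong key pinned: $(report "$ARTIFACT" "$ARTIFACT.asc" "0000000000000000000000000000000000000000")"
```

The important design choice is the last check: `gpg --verify` exits 0 for any good signature by any key in the keyring, so a consumer that only looks at the exit code will accept an artifact re-signed by whoever managed to upload it. Pinning the expected fingerprint (obtained from the project's site, release notes or a keyserver, and compared out of band) is what ties the artifact to the library author rather than to the server it was fetched from.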

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow